Monday, December 4, 2023

Winnti APT Hacker Group Attacks Video Gaming Companies Using PipeMon Malware

Winnti group has been active at least since 2012 and specializes in cyberattacks against the online video game industry. The main goal of the hacker group is to steal the source code of online game projects as well as digital certificates.

The group is also responsible for high-profile supply-chain attacks against software companies that result in the distribution of trojanized software.

Winnti Group Attacks

Starting from 2019, the Winnti group started using PipeMon malware since 2019, to compromise various software companies.

ESET researchers observed that the current campaign targets video game developers who developing MMO (Massively Multiplayer Online) games based in South Korea and Taiwan.

The attacker tries to compromise the company’s build orchestration server which allows attackers to take control of the automated build systems. This would allow attackers to include arbitrary code of their choice in the video game executables.

ESET observed that the certificate used to sign the PipeMon installer, modules, and additional tools is linked to a video game company that was compromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.

The first stage of the malware is a password-protected RARSFX executable and the password is different from each sample.

Winnti APT Hacker Group

Once the password-protected file sis extracted, setup.exe main executable get’s executed, it’s purpose is to load the setup.dll file.

Following are the files with RARSFX

  • rLnc.dat – Encrypted payload
  • Duser.dll – Used for UAC bypass
  • osksupport.dll – Used for UAC bypass
  • PrintDialog.dll – Used for the malicious print processor initialization
  • PrintDialog.exe – Legitimate Windows executable used to load PrintDialog.dll
  • setup.dll – Installation DLL
  • setup.exe – Main executable

To maintain the persistence setup.dll registers the malicious DLL loader as an alternative Print Processor by adding registry keys.

Once it got registered it restarts the print spooler service (spoolsv.exe) so that the malicious DLL loader loads every time when spoolsv.exe starts.

C&C Communication

The module was named PipeMon as it contains inter-module communication, to its PDB path, and the name of the Visual Studio project named by developers.

ESET researchers observed that “Inter-module communication is performed via named pipes, using two named pipes per communication channel between each individual module, one for sending and one for receiving.”

The communication module with loader responsible for establishing C&C communication, all the data transferred are encrypted using RC4 with the hardcoded key Com!123Qasdz.

To initiate C&C communication following are the details shared first includes;

  • OS version
  • Physical addresses of connected network adapters concatenated with %B64_TIMESTAMP%
  • the victim’s local IP address
  • backdoor version/campaign ID; we’ve observed the following values
  • “”
  • “”
  • “”
  • Victim computer name

The malware modules are signed with Stolen valid code-signing certificate, now the certificate was revoked by the user after notification from ESET.

The new attack shows that Winnti Group uses a new set of tools using multiple open-source projects and they are targeting Massively Multiplayer Online developer companies.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles